I am trying to figure out how to get a VLAN working for OpenWrt-based RPi4. The RPi4 has 2 ethernet interfaces: one for the WAN, and the LAN side plugs into Port 1 of a TP-Link SG108e managed switch.
My IOT devices attach via an Archer A7 which provides Wifi for IOT devices as well as two IOT devices that plug directly into the Archer's switch. The Archer A7 is a dumb AP and plugs into Port 8 of the SG-108e.
I want the Archer and everything plugged into it to be assigned to VLAN #3, get IP addresses in the 192.168.3.x subnet, and be assigned to its own firewall zone on the RPi4.
I need some help on how to do this! Here's what the VLAN screen on the SG-108e looks like:
I am not sure I am doing this correctly, and I don't know how to set this up correctly in OpenWrt on the RPi4 side. I think I need to make a bridge device/interface to take the VLAN #3 traffic but I am confused how to go about this.
In the switch, make the port connected to the Pi tagged in both VLANs (this means in the Pi configuration you'll need to change lan from eth0 to eth0.1 for lan to continue to work). Remove switch port 8 from VLAN 1. If your AP is only handling the IoT you can leave it untagged VLAN 3 on port 8.
No as listed you only have one port a member of VLAN 3 and that means it can't actually switch anything, there have to be at least 2 ports that are members.
If you tag port 8 you'll have to configure the Archer A7 to use tagged packets. That is a good thing to have for the long term though since then you can expand to having more VLANs going into the A7.
You can't delete VLAN1 but you can eventually move all the ports out of it, as long as they are in some other VLAN and the PVID is set to that other VLAN. Here though you should keep VLAN1 as trusted LAN traffic. Port 1 should be tagged in VLAN 1 as well as 3.
Thanks for your help and patience -- I feel out of my depth here. I have used ddwrt and OpenWrt for a decade or so, but always with a very simple configuration. The whole VLAN tagged/untagged confuses me.
Do I have this right?
On the SG-108e switch, Ports 1 & 8 tagged in VLAN 3. (See the screenshot above) The switch also has VLAN #1 but all ports are untagged.
On the RPi4 router, I'll need eth0.1 and eth0.3 devices.
On the Archer AP, I need eth0.3 because its incoming traffic will all be tagged VLAN 3 by the switch, correct? (This confuses me a little, because I don't need the Archer to worry about VLANs. Everything it handles is IOT. I can't make it agnostic and leave it with eth0?)
Do I create the eth0.1 and eth0.3 devices on the router and AP by adding device configuration 802.1q on base device eth0?
Apologies - I've watched a bunch of videos but they seem to be based on an older version of OpenWrt and the procedures don't sync up exactly.
You cannot have the same VLAN both tagged and untagged on the same port. In your screenshot, VLAN 1 is still untagged on all ports. You need to set VLAN 1 is tagged on ports 1 and 8.
Make VLAN 3 untagged on the port that connects to the Archer. Simple as that.
I can't edit VLAN 1 on the switch. The 802.1Q config only accepts 2-4094 as VLAN ids. Should I get another switch? This one is a TL-SG108e v2 from 2016. No firmware updates available. Or can I do this using Port Based VLAN or 802.1Q PVID settings?
On your second point - you mean untag VLAN 3 in OpenWrt on the Archer, right?
Strange. I have a TL-SG105e v4 (which I rarely use) and it allows VLAN1 to be edited.
This switch series is junk... I wish I hadn't bought mine.
The other way you can handle this is to not use VLAN1 -- you can use another VLAN ID. Or you can use VLAN 1 untagged on everything (some people say you should never have an untagged network on a trunk port, but the standard allows for it, so it should work without issue -- I do this in my own network and it's fine).
If your Archer is currently setup without VLANs/tagged networks, you can simply set the respective port on the TL-SG108E to untagged for VLAN 3. Then go into the PVID settings and set PVID for that port to VLAN 3.
I think (but am not positive) that starting with hardware version 3, they issued a firmware update that addressed this. It has worked fine for me when all I needed was a glorified hub/splitter but seems to be showing its limitations now that I'm getting more ambitious.
I'm going to replace my TL SG108e switch with a Netgear GS308e. My TP switch doesn't have any firmware updates since 2016 and it's got other annoyances that bug me. (for example, silly restrictions on the passwords that any beginner programmer could have fixed.)
When setting up external switches, think in terms of two ways a port can work. There are other ways a port can potentially work by mixing tagged and untagged on the same port, but you should really avoid trying that. The two simple ways are:
"Trunk" ports which go to a VLAN-aware device like your Pi have all relevant VLANs tagged.
"Access" ports for devices which use ordinary untagged Ethernet are untagged in one VLAN and off in all the others.
The PVID setting determines which VLAN will receive an untagged packet that arrives on a port. For an access port, that must be the same VLAN that is used for output. Untagged packets should never arrive on a trunk port. So the PVID setting on trunk ports is not so important. To safely dispose of these packets which can only result from a configuration error or a malicious operation, I set up some otherwise empty VLANs which exist only to be the PVID of the trunk ports.
Once you have assigned its PVID to something other than the default of 1, you should be able to remove a port from VLAN 1. You can't delete VLAN 1 but as @trendy has done you can completely empty it.
My favorite switch of these $30 price class ones* is the Zyxel GS1200-8. It has a better user interface and an important security feature that the webui can be restricted to one VLAN.
There's really not a lot to like about these switches other than the $30 price.
Thanks - really appreciate it. What does one get from a more expensive switch? This is just for my home so beyond 1 gigabit speed and VLAN, I can't think what more I need. (Don't even have a need for PoE, at least not now...)
Thinking about my setup:
Can I set the PVID of Port 8 (connected to the IOT AP) to 3, and have Port 1 (connected to the RPi) set 1t 3t? If I understand correctly, this would tag all traffic coming into or going out of Port 8 as VLAN 3, while traffic on Port 1 would be either VLAN 1 or 3 depending on its origin.
then a packet for the guest network leaving the Pi tagged 3 (from eth0.3) will enter port 1 of the switch, have the tag removed, and emerge from port 8 untagged. A reply (untagged) from the C7 will have a tag of 3 added and return to the Pi on its VLAN 3.
Making port 8 a trunk port including VLANs 1 and 3:
Port 8 tagged on VLANs 1 and 3
Port 8 PVID = don't care
works almost the same except the C7 then needs to handle tags, the same as the Pi. Notice in this case the configuration of ports 1 and 8 is the same, thus packets for either VLAN get trunked across.
I need a VLAN device for VLAN 3. Do I add a VLAN on the base device eth0, or use Bridge VLAN Filtering on br-lan? Each time I figure out part of this, another segment makes me confused again.
